-
Notifications
You must be signed in to change notification settings - Fork 233
78 lines (68 loc) · 3.17 KB
/
scan_docker_image_dependencies.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: Scan Rasa SDK App Dependencies
on:
workflow_dispatch:
jobs:
scan_and_alert:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository to check tags
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: Get latest tagged release
id: find-tag
run: |
git fetch --depth=1 origin "+refs/tags/*:refs/tags/*"
echo "tag=$(git tag | sort -r -V | grep -E "^[0-9]+.[0-9]+.[0-9]+$" | head -n1)" >> $GITHUB_OUTPUT
- name: Scan image for language dependency vulnerabilities
id: trivy
uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
continue-on-error: true
with:
exit-code: '1'
format: 'table'
severity: 'MEDIUM,HIGH,CRITICAL'
ignore-unfixed: true
security-checks: 'vuln'
image-ref: 'rasa/rasa-sdk:${{ steps.find-tag.outputs.tag }}'
vuln-type: 'library'
scan-type: 'image'
output: scan-result.txt
- id: auth-security-reports
name: Authenticate with gcloud for saving report 🎫
uses: 'google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955'
with:
credentials_json: '${{ secrets.GCP_WRITE_PUBLIC_SECURITY_REPORTS_KEY }}'
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
- name: Upload scan report to GCS
run: |
gsutil -h "Content-Type:text/plain; charset=utf-8" -h "Cache-Control:public, max-age=0, no-transform" cp scan-result.txt gs://${{ secrets.GCP_SECURITY_REPORTS_BUCKET }}/rasa-sdk-dependency-report-${{ steps.find-tag.outputs.tag }}-${{ steps.date.outputs.date }}.txt
- name: Alert Slack on findings
if: steps.trivy.outcome == 'failure'
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
with:
channel-id: 'C01M5TAHDHA,C04Q26JSD6U'
payload: |
{
"text": "Dependency vulnerabilities have been found in the Docker image for Rasa SDK ${{ steps.find-tag.outputs.tag }} that could impact customer deployments. Please schedule these for resolution.",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Dependency vulnerabilities have been found in the Docker image for Rasa SDK ${{ steps.find-tag.outputs.tag }} that could impact customer deployments. Please schedule these for resolution depending on their severity:\n - Critical: This sprint. \n - High: Next sprint. \n - Medium or Low: Add to backlog."
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<https://storage.googleapis.com/${{ secrets.GCP_SECURITY_REPORTS_BUCKET }}/rasa-sdk-dependency-report-${{ steps.find-tag.outputs.tag }}-${{ steps.date.outputs.date }}.txt|View Scan Report>"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_CODESECURITY_BOT_TOKEN }}